The U.K.’s data protection watchdog, the Information Commissioner’s Office (ICO), recently identified the Newcastle Youth Offending Team for failing to safeguard the information of some 100 young people on a stolen laptop.
The Youth Offending Team is a local crime prevention program that works to identify troublesome areas for young people. The program focuses on such areas as prevention, education, racial equality and restorative justice, among others.
According to a statement from the ICO, the Youth Offending Team failed to encrypt information on a laptop that contained the personal information of young people involved with the program. The laptop was reportedly stolen from the home of a contractor in January.
Information contained on the laptop included the young people’s names, addresses, birth dates and school information, the ICO stated. When the ICO investigated the situation, it said, the Youth Offending Team had failed to assess the contractor thoroughly enough to ensure that it had the proper data security measures in place.
“This case also highlights how important it is to ensure that watertight procedures are in place before any work is undertaken by contractors,” said ICO head of enforcement Sally-Anne Poole. “Organizations shouldn’t simply assume that third parties will handle personal data in line with their usual standards.”
Encryption is one of the most basic, yet effective, data protection measures an organization can employ. As a result, it is also one of the most widespread. Though the Youth Offending Team failed to ensure its contractor used encryption, the ICO noted that the organization is now taking steps to require that all contractors comply with the regulations set out by the country’s Data Protection Act (DPA).
“I’m pleased that Newcastle Youth Offending Team has learned lessons from this incident and hope that it encourages others to heed our advice,” Poole added.
This information comes just days after the U.K.’s Justice Committee called for tougher penalties for those who violate the DPA. Based partially on testimony from Information Commissioner Christopher Graham, the committee published a report stating that current penalties – which typically include fines – are not strict enough for DPA offenders. Instead, the committee has suggested judges punish some offenders with jail time.
Graham added that the ICO needs to be able to compel organizations – both in the private and public sector – to undergo audits. Such a measure would allow the ICO to review an organization’s data protection practices and offer recommendations without imposing sanctions.
Security News from SimplySecurity.com by Trend Micro